Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Summary

Windows updates released on and after October 11, 2022, contain additional protections introduced by CVE-2022-38042. These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain unless:

  1. The user attempting the operation is the creator of the existing account.

    OR

  2. The computer was created by a member of domain administrators.

Legacy behavior

Before you install the October 11, 2022, or later cumulative updates, the client computer queries Active Directory for an existing account with the same name. This query occurs during domain join and computer account provisioning. If such an account exists, the client will automatically attempt to reuse it.

Note The reuse attempt will fail if the user who attempts the domain join operation does not have the appropriate write permissions. However, if the user has enough permissions the domain join will succeed.

There are two scenarios for domain join with respective default behaviors and flags as follows:

New behavior 

Once you install the October 11, 2022, or later Windows cumulative updates on a client computer, during domain join, the client will perform additional security checks before attempting to reuse an existing computer account.

Algorithm:

  1. Account reuse attempt will be permitted if the user attempting the operation is the creator of the existing account.

  2. Account reuse attempt will be permitted if the account was created by a member of domain administrators.

These additional security checks are done before attempting to join the computer. If the checks are successful, the rest of the join operation is subject to Active Directory permissions as before.

This change does not affect new accounts.

Note After installing the October 11, 2022, or later Windows cumulative updates, domain join with computer account reuse might intentionally fail with the following error:

Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”

If so, the account is intentionally being protected by the new behavior.

Event ID 4101 will be triggered once the error above occurs and the issue will be logged in c:\windows\debug\netsetup.log. Please follow the steps below in Take Action to understand the failure and resolve the issue.

Take Action

Review computer account provisioning workflows and understand if changes are required.

  1. Perform the join operation using the same account that created the computer account in the target domain.

  2. If the existing account is stale (unused), delete it before attempting to join the domain again.

  3. Rename the computer and join using a different account that doesn’t already exist.

  4. If the existing account is owned by a trusted security principal and an administrator wants to reuse the account, they might do so by temporarily setting the following registry key at the individual client computer level. Then immediately remove the registry setting after the join operation is complete. No restart is necessary for changes to the registry key to take effect.

Path

HKLM\System\CurrentControlSet\Control\LSA

Type

REG_DWORD

Name

NetJoinLegacyAccountReuse

Value

1

Other values are ignored.

Important guidance for using option 4

Caution: If you choose to set this key to work around these protections, you will leave your environment vulnerable to CVE-2022-38042 unless your scenario is referenced below as appropriate. Do not use this method without confirmation that the Creator/Owner of the existing computer object is a secure and trusted security principal. 

It is appropriate to use solution 4 in the following scenarios:

  1. An IT admin with delegated permissions needs to rejoin a computer to the target domain for troubleshooting purposes and the original account creator is a trusted account.

    OR

  2. A deployment scenario in which computer accounts are created before using a dedicated service account (such as SCCM or other software) and the domain join is performed by a second dedicated account with delegated domain-join permissions (for example, "This account is allowed to join this computer to the domain").

Microsoft might remove support for the NetJoinLegacyAccountReuse registry setting in a future update and replace it with an alternative method. This article will be updated if and when such changes take place.

Nonsolutions

  • Do not add service accounts or provisioning accounts to the Domain Admins security group.

  • Do not manually edit the security descriptor on computer accounts in an attempt to redefine the ownership of such accounts. While editing the owner will enable the new checks to succeed, the computer account might retain the same potentially risky, unwanted permissions for the original owner unless explicitly reviewed and removed.

  • Do not add the NetJoinLegacyAccountReuse registry key to base OS images because the key should only be temporarily added and then removed directly after the domain join completes.

New event logs

Event log

SYSTEM
 

Event Source

Netjoin

Event ID

4100

Event Type

Informational

Event Text

"During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name.%nAn attempt to re-use this account was permitted. %n%nDomain controller searched: %1%nExisting computer account DN: %2%n%nSee https://go.microsoft.com/fwlink/?linkid=2202145 for more information.

Event log

SYSTEM

Event Source

Netjoin

Event ID

4101

Event Type

Error

Event Text

"During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name.%nAn attempt to re-use this account was prevented for security reasons.%n%nDomain controller searched: %1%nExisting computer account DN: %2%nThe error code was %3.%n%nSee https://go.microsoft.com/fwlink/?linkid=2202145 for more information."

Debug logging is available by default (no need to enable any verbose logging) in C:\Windows\Debug\netsetup.log on all client computers.

Example of the debug logging generated when the reuse of the account is prevented for security reasons:

NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=Computer2,CN=Computers,DC=contoso,DC=com
NetpGetADObjectOwnerAttributes: Looking up attributes for machine account: CN=Computer2,CN=Computers,DC=contoso,DC=com
NetpCheckIfAccountShouldBeReused: Account was created through joinpriv and does not belong to this user. Blocking re-use of account.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac
NetpProvisionComputerAccount: LDAP creation failed: 0xaac
ldap_unbind status: 0x0
NetpJoinCreatePackagePart: status:0xaac.
NetpJoinDomainOnDs: Function exits with status of: 0xaac
NetpJoinDomainOnDs: status of disconnecting from '\\DC1.contoso.com': 0x0
NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'contoso.com' returned 0x0
NetpJoinDomainOnDs: NetpResetIDNEncoding on 'contoso.com': 0x0
NetpDoDomainJoin: status: 0xaac

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!

×